FortiOS 7.2
7.2
Os Release
· FortiOS Series
Is FortiOS 7.2 still maintained?
For now. Fortinet maintenance for FortiOS 7.2 ends on 2026-09-30, with engineering fixes (incl. security) stopping 2025-03-31. Schedule the upgrade before then. See Fortinet's lifecycle bulletin.
When do security fixes for FortiOS 7.2 stop?
Engineering fixes for FortiOS 7.2 — including security patches — stop on 2025-03-31. After that date, a device on this release cannot be patched against newly disclosed vulnerabilities without upgrading, which is the point that matters for KEV exposure and compliance.
What should I upgrade FortiOS 7.2 to?
Upgrade to a currently maintained Fortinet release. Check the release-train table on the vendor page for the nearest supported version.
What known-exploited CVEs apply to the FortiOS 7.2 past end of support?
4 CVEs in CISA's Known Exploited Vulnerabilities catalog affect Fortinet FortiOS. Because FortiOS 7.2 is past end of engineering, it will not receive fixes for them — a device left on this release is exploitable with no patch available. Upgrade to a maintained release. See the Known Exploited Vulnerabilities table below for the full list.
Known Exploited Vulnerabilities
This device is past Fortinet's security-support date. 4 CVEs in CISA's Known Exploited Vulnerabilities catalog apply to the platform it runs. Fortinet is not issuing patches for this model. Isolate, compensate, or refresh.
| CVE | KEV added | Vulnerability | Flags |
|---|---|---|---|
CVE-2024-21762
|
Fortinet FortiOS Out-of-Bound Write Vulnerability | Ransomware | |
CVE-2023-27997
|
Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability | Ransomware | |
CVE-2022-41328
|
Fortinet FortiOS Path Traversal Vulnerability | ||
CVE-2022-42475
|
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability | Ransomware |
Source: CISA Known Exploited Vulnerabilities catalog. The Ransomware flag reflects CISA's own knownRansomwareCampaignUse field, set when the CVE has been observed in ransomware campaigns per their threat intel. It's not a property of the vulnerability description itself.
Correlation is at the platform level, not per-OS-version. Not exhaustive: KEV only lists actively-exploited CVEs and many relevant unexploited vulnerabilities are not here. Verify against vendor security advisories (PSIRT, JSA, PAN-SA) and NVD before acting. See compensating controls if refresh isn't immediate.
FortiOS 7.2 Release Lifecycle
FortiOS 7.2 is a Fortinet FortiOS software release. Releases are maintained on a fixed schedule: Fortinet ships fixes and security patches until the release reaches end of engineering, after which a device must be upgraded to a maintained release to stay patchable. The dates below are milestones for the software train, not for any specific appliance — hardware running this release has its own separate lifecycle. Fortinet support for this product is ending soon. The last date of support is . After that date, no further software updates, security patches, or hardware replacements will be provided.
Lifecycle Milestones
| Lifecycle notice published | 4y 4mo ago | |
|---|---|---|
| End of software maintenance | 1y 4mo ago | |
| End of security vulnerability support | 1y 4mo ago | |
| Last date of support | in 2mo |